
Github.Com Grafana Grafana vulnerabilities

61 known vulnerabilities affecting github.com/grafana_grafana.

Total CVEs: 61
CISA KEV: 2 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 5, HIGH 18, MEDIUM 35, LOW 3

Vulnerabilities

CVE-2022-39201 | P3 | HIGH | CVSS 7.5 | ≥ 5.0.0-beta1, < 8.5.14; ≥ 9.0.0, < 9.1.8 | 2024-05-14
CVE-2022-39201 [HIGH] CWE-200: Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins. Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39201. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix th

CVE-2022-39306 | P3 | HIGH | CVSS 8.1 | ≥ 8.0.0, < 8.5.15; ≥ 9.0.0, < 9.2.4 | 2024-05-14
CVE-2022-39306 [HIGH] CWE-20: Grafana Email addresses and usernames can not be trusted. Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: Download Grafana 9.2.4 (https://grafana.com/grafana/download/9.2.4

CVE-2021-41244 | P3 | CRITICAL | ≥ 8.0.0, < 8.2.4 | 2024-05-14
CVE-2021-41244 [CRITICAL] CWE-610: Grafana Fine-grained access control vulnerability. Impact: On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users' roles in other organizations in whi

CVE-2026-27877 | P3 | MEDIUM | ≥ 9.3.0; ≥ 12.0.0; +4 more | 2026-03-27
CVE-2026-27877 [MEDIUM] CWE-200: Grafana public dashboards disclose all direct mode datasources. When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.

CVE-2026-33380 | P3 | MEDIUM | ≥ 0, < 1.9.2-0.20260513165311-fb7336fc36c1 | 2026-05-13
CVE-2026-33380 [MEDIUM] CWE-552: Grafana: SQL Expressions Read File From Disk. A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.

CVE-2019-19499 | P3 | MEDIUM | ≥ 0, < 6.4.4 | 2024-01-31
CVE-2019-19499 [MEDIUM] CWE-200: Grafana Arbitrary File Read. Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

CVE-2023-4822 | P3 | MEDIUM | ≥ 0, ≤ 10.1.5 | 2023-10-16
CVE-2023-4822 [MEDIUM] CWE-269: Grafana privilege escalation vulnerability. Grafana is an open-source platform for monitoring and observability. The vulnerability impacts instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to

CVE-2024-1313 | P3 | HIGH | ≥ 9.5.0, < 9.5.18; ≥ 10.0.0, < 10.0.13; +3 more | 2024-04-05
CVE-2024-1313 [HIGH] CWE-639: Grafana: Users outside an organization can delete a snapshot with its key. Summary: The DELETE /api/snapshots/{key} endpoint allows any Grafana user to delete snapshots if the user is NOT in the organization of the snapshot. Details: An attacker (a user without organization affiliation or with a "no basic role" in an organization other than the one where the dashboard exists), know

CVE-2022-35957 | P3 | MEDIUM | CVSS 6.6 | ≥ 9.1.0, < 9.1.6; ≥ 9.0.0, < 9.0.9; +1 more | 2024-05-14
CVE-2022-35957 [MEDIUM] CWE-290: Grafana Escalation from admin to server admin when auth proxy is used. Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana Auth Proxy (https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-p

CVE-2022-31123 | P3 | HIGH | CVSS 7.8 | ≥ 9.0.0, < 9.1.8; ≥ 7.0.0, < 8.5.14 | 2024-05-14
CVE-2022-31123 [HIGH] CWE-347: Grafana Plugin signature bypass. Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also containing security fix: Download Grafana 9.2 (https://grafana.com/grafana/download/9.2). Release 9.1.8, only

CVE-2023-0507 | P3 | MEDIUM | ≥ 8.1.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | 2023-03-01
CVE-2023-0507 [MEDIUM] CWE-79: Grafana vulnerable to Cross-site Scripting. Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because map attributions weren't properly sanitized, which allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instanc

CVE-2023-2183 | P3 | MEDIUM | ≥ 0, < 8.5.26; ≥ 9.0.0, < 9.2.19; +3 more | 2023-06-12
CVE-2023-2183 [MEDIUM] CWE-284: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts. Summary: Grafana allows an attacker in the Viewer role to send alerts via the API Alert - Test. The option is not available from the user panel UI for the Viewer role. Reason for the error: The API does not check access to this function and allows it for users with the least rights, for example, the View

CVE-2023-0594 | P4 | MEDIUM | ≥ 7.0.0, < 8.5.21; ≥ 9.0.0, < 9.2.13; +1 more | 2023-03-01
CVE-2023-0594 [MEDIUM] CWE-79: Grafana vulnerable to Cross-site Scripting. Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible because the values of a span's attributes/resources were not properly sanitized and are rendered when the span's attributes/resources are expanded. An attacker needs

CVE-2022-21702 | P4 | MEDIUM | CVSS 5.4 | ≥ 2.0.0-beta1, < 7.5.15; ≥ 8.0.0, < 8.3.5 | 2024-05-14
CVE-2022-21702 [MEDIUM] CWE-79: Grafana proxy Cross-site Scripting. Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes a MEDIUM severity security fix for XSS for Grafana. Release v.8.3.5, only containing security fixes: Download Grafana 8.3.5 (https://grafana.com/grafana/download/8.3.5); Release notes (https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/). Release v.7.5.15, only containing security fixes: - [

CVE-2021-43815 | P4 | HIGH | CVSS 7.5 | ≥ 8.0.0-beta3, < 8.3.2 | 2024-05-14
CVE-2021-43815 [HIGH] CWE-22: Grafana directory traversal for .cvs files. Today we are releasing Grafana 8.3.2 and 7.5.12. This patch release includes a moderate severity security fix for directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source (https://grafana.com/docs/grafana/latest/datasources/testdata/) enabled and configured. The vulnerability is limited in sc

CVE-2025-41117 | P4 | MEDIUM | ≥ 12.2.0, < 12.2.5; ≥ 12.3.0, < 12.3.3 | 2026-02-12
CVE-2025-41117 [MEDIUM] CWE-79: Grafana has a Cross-site Scripting issue. Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.

CVE-2025-3454 | P4 | MEDIUM | ≥ 0.0.0-20210414170620-dadccdda06e6, < 0.0.0-20250424191517-1f707d16ed5d | 2025-06-02
CVE-2025-3454 [MEDIUM] CWE-285: Grafana's datasource proxy API allows authorization checks to be bypassed. This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources th

CVE-2023-22462 | P4 | MEDIUM | ≥ 9.2.0, < 9.2.10; ≥ 9.3.0, < 9.3.4 | 2023-03-01
CVE-2023-22462 [MEDIUM] CWE-79: Grafana vulnerable to Stored Cross-site Scripting in Text plugin. Description: On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass tho

CVE-2023-2801 | P4 | HIGH | ≥ 0, < 9.4.12; ≥ 9.5.0, < 9.5.3 | 2023-06-06
CVE-2023-2801 [HIGH] CWE-662: Grafana Missing Synchronization vulnerability. Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has the possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directl

CVE-2024-6322 | P4 | MEDIUM | ≥ 11.1.0, < 11.1.1; ≥ 11.1.2, < 11.1.3; +2 more | 2024-08-20
CVE-2024-6322 [MEDIUM] CWE-266: Grafana plugin data sources vulnerable to access control bypass. Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.